[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



15 minutes ago, CHBMB said:

 

There are two issues at play.  Firstly LetsEncrypt have changed the method used to issue certs.  The second issue is Unraid itself on v6.4.0 has implemented a system using LetsEncrypt.

 

It sounds like you've sorted the first issue, in that your certs have been issued.  Whether the second issue is contributing to your ongoing problem I couldn't say, but it may be worth delving into.

 

Yeah, I read about unraid 6.4 using port 443, but I changed that to another port right away to avoid conflicts. I still don't get how my own PC is the only client unable to connect when I had no issues prior to this, though. I don't think upgrading to 6.4 had any impact on me not being able to connect, as it was happening before that. Haven't made any changes to my router either, so I don't think NAT is the issue either. I just tested again, as I was using local ip:port before, but hadn't tried public ip:port, and it seems I can't connect using public ip:port either, but using the same method works for other devices. All attempts from my PC except local ip:port result in timeout errors. I can ping both the url and public ip as well, so it seems like it just doesn't redirect from my IP or my PC is blocked somehow? If that even makes sense.


publicip:port will only work if you have forwarded the relevant port.

 

To be honest I'm confused, what I think the situation is, is this.

 

From a WAN connection everything is working as expected.

When on your LAN you can't connect via domainname.com/service

 

If that's the case, and it was happening before, it still sounds like NAT reflection / hairpin NAT issues to me.


Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

17 minutes ago, jonathanm said:

Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

 

That was originally what was planned, unfortunately, due to the fact template changes are now propagated from our github repo by some CA skullduggery, once we introduced the option of HTTPVAL it came down and affected everyone, if it hadn't been for that, the issue would have been just simmering once in a while for everyone over the next 3 months......

 

I'll point @aptalca this way, see what he thinks.

29 minutes ago, jonathanm said:

Can I make a request? I would like to be able to toggle the LE automation using a docker environment variable so that we can start the container without the renewal logic, just start NGINX with existing credentials.

 

I know in the long run that's probably a bad fix, but for now it would be helpful to get people back running without having to set up another container and migrating configs.

 

If you're not using unraid 6.4.0, there won't be revalidation until your certs expire. But as chbmb mentioned, new unraid pushes template updates, including newly added variables, which I wasn't aware of. That caused revalidation. 

 

Or, you can switch the image to nginx instead of letsencrypt and it will start without the letsencrypt bits. 

1 minute ago, PaDadof2 said:

Can anyone help me understand why I can access mydomain.duckdns.org/ombi on LTE using my cell phone, but when I try to access that using my laptop connected to my network, I get a privacy error on chrome or a 404 error (from my edgerouter) when I use firefox?

Most likely an issue with your router not accepting loopback connections.

 

I initially had this issue with my PFsense setup and had to enable 1:1 NAT Reflection to get this to work.

 

Might want to take a look here: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

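The "works from LTE, fails from my own LAN" pattern that CHBMB and IndianaJoe1216 attribute to missing hairpin NAT can be separated from the other causes (service down, DNS already pointing at the LAN address, no port forward at all) with three TCP probes. The script below is an added example written for this editing pass; it is not from the linuxserver.io project or any poster. The addresses in it are constructed stand-ins: 192.168.0.122 as the Unraid box, 203.0.113.10 as the WAN address, myhost.duckdns.org as the public name. The probe and resolver are injectable so the decision logic runs offline; with the defaults it does real connects.

```python
import socket


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # timeout, refused, unreachable, or DNS failure
        return False


def diagnose(lan_ip, public_name, port, wan_reachable=None,
             probe=tcp_probe, resolve=socket.gethostbyname):
    """Classify a 'reachable from outside, not from inside the LAN' report.

    lan_ip        the server's LAN address (the Unraid host)
    public_name   the public DNS name or WAN IP that clients use
    port          the forwarded port (443 for the letsencrypt container)
    wan_reachable result of probing public_name:port from OUTSIDE the LAN
                  (e.g. a phone on LTE), or None if that has not been tried
    probe/resolve injectable so the logic can be exercised without a network

    Returns a short string whose first word names the diagnosis.
    """
    try:
        resolved = resolve(public_name)
    except OSError:
        return "dns: the public name does not resolve; fix DNS before looking at NAT"

    local_ok = probe(lan_ip, port)
    public_ok = probe(public_name, port)

    if public_ok:
        return "ok: the public name is reachable from inside the LAN"
    if not local_ok:
        return ("service: even lan_ip:port does not answer; the container is down, "
                "bound to another port, or the host firewall blocks it")
    if resolved == lan_ip:
        return ("dns: the name already resolves to the LAN address, so NAT is not "
                "involved; check which port the server actually listens on")
    if wan_reachable is False:
        return ("forward: it fails from the WAN as well, so the router port forward "
                "is missing or points at the wrong host")
    if wan_reachable is True:
        return ("hairpin: works from the WAN and via the LAN address, fails via the "
                "public address from inside; enable NAT reflection / hairpin NAT")
    return ("untested: probe public_name:port from outside the LAN to separate a "
            "missing port forward from missing hairpin NAT")


# Constructed scenario (not measured data): the LAN address answers,
# the public address does not, and DNS points at the WAN address.
LAN_IP, PUBLIC_NAME, WAN_IP = "192.168.0.122", "myhost.duckdns.org", "203.0.113.10"


def fake_probe(host, port):
    """Stand-in for tcp_probe: only the LAN address accepts connections."""
    return host == LAN_IP


def fake_resolve(name):
    """Stand-in for gethostbyname: the public name resolves to the WAN address."""
    return WAN_IP


if __name__ == "__main__":
    print(diagnose(LAN_IP, PUBLIC_NAME, 443, wan_reachable=True,
                   probe=fake_probe, resolve=fake_resolve))
```

Run it once with the real defaults from a LAN client and once from outside (pass that result as wan_reachable); the "hairpin" branch is only reached when the outside probe succeeded, which is what distinguishes an EdgeRouter/pfSense reflection problem from a plain missing forward.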
3 hours ago, riffles21 said:

 

I have exactly the same issue. It was running fine last week and now all of a sudden it stopped working.

 

Maybe it has something to do with this: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

 

Edit: solved the problem, thanks @CHBMB. Set HTTPVAL to 'true' and forwarded external port 80 to internal 81.

 


 

@riffles21 where is this HTTPVAL? I cant find it?

 

Edit: ignore me. Found it.

Edited by mrangryoven
2 minutes ago, IndianaJoe1216 said:

Most likely an issue with your router not accepting loopback connections.

 

I initially had this issue with my PFsense setup and had to enable 1:1 NAT Reflection to get this to work.

 

Might want to take a look here: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

I have an EdgeRouter X, and when I click Hairpin NAT, I get an error: Failed to apply the configuration ("lan-interface" is required when hairpin NAT ...). I have nothing checked under LAN interface, but have WAN interface set to eth0. I tried to add eth0 to LAN interface, but get another error. I'm an idiot and I'm not sure what I'm doing with my router.


I see the last update made it through for most of us... I've read about the last 5 pages and I seem to be the first with this issue: "port already in use".

I get "Execution Error" which means I cannot even start the docker. I've updated to unraid 6.4.0, does it have something to do with it?

 

See below in box and/or screenshot. I've tried to change the 443 port to like 445 but same error then... 

 

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="*****@******.***" -e "URL"="********" -e "SUBDOMAINS"="www,*******," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
078c988ab78bd5a856f7a2781cadaaca44e54611c5f91b03c896236175364696
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (8c666828f2c390c48772f4d9a78444293262b1bd6cf74c3aaf9edc400a71f669): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use.

The command failed.

 

 

[Screenshot: alreadyinuse.PNG]

Edited by truetype
1 minute ago, truetype said:

I see the last update made it through for most of us... I've read about the last 5 pages and I seem to be the first with this issue: "port already in use".

I get "Execution Error" which means I cannot even start the docker. I've updated to unraid 6.4.0, does it have something to do with it?

 

See below in box and/or screenshot. I've tried to change the 443 port to like 445 but same error then...

 


Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="*****@******.***" -e "URL"="********" -e "SUBDOMAINS"="www,*******," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
078c988ab78bd5a856f7a2781cadaaca44e54611c5f91b03c896236175364696
/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (8c666828f2c390c48772f4d9a78444293262b1bd6cf74c3aaf9edc400a71f669): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use.

The command failed.

 

 

[Screenshot: alreadyinuse.PNG]

 

Don't use 445 as it's used for something else. Don't ask me what, as I don't remember. 

Change it to 4443 and check that it's not in use. Remember to also change the port forward in your router.

Edited by saarg
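The `bind: address already in use` failure truetype hit, and saarg's advice to pick 4443 "and check that it's not in use", can be checked before `docker run` is attempted: list what already listens on the host and compare it with every `-p host:container` publish in the command. The script below is an added example for this thread, not code from linuxserver.io or Unraid. Its `ss -ltnp` listing is constructed to resemble an Unraid 6.4 host (the web GUI, here named emhttpd, holding 80 and 443; smbd on 445, which is the SMB port; an nginx on 127.0.0.1:4443); the real listing comes from running `ss -ltnp` on the box.

```python
import re
import shlex

# Constructed sample of `ss -ltnp` output on the Docker host (not captured from a real box).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("emhttpd",pid=1234,fd=5))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("emhttpd",pid=1234,fd=6))
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=2345,fd=7))
LISTEN  0       128     127.0.0.1:4443       0.0.0.0:*          users:(("nginx",pid=3456,fd=8))
"""

# The publish flags from the command posted above, with the rest of the flags trimmed.
SAMPLE_DOCKER_CMD = ('docker run -d --name="letsencrypt" -e "HTTPVAL"="true" '
                     '-p 81:80/tcp -p 443:443/tcp linuxserver/letsencrypt')

WILDCARDS = {"0.0.0.0", "*", "[::]", "::", ""}


def parse_listeners(ss_output):
    """Map (address, port) -> process name for every LISTEN row of `ss -ltnp` text."""
    listeners = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                                   # header or non-listening row
        addr, _, port = cols[3].rpartition(":")        # works for "[::]:443" too
        match = re.search(r'\(\("([^"]+)"', line)      # first process name in users:(...)
        listeners[(addr, int(port))] = match.group(1) if match else "unknown"
    return listeners


def parse_published_ports(docker_cmd):
    """Return [(host_ip, host_port, container_port, proto)] for each -p/--publish flag.

    Accepts hostPort:containerPort and ip:hostPort:containerPort, with an optional
    /tcp or /udp suffix. A bare containerPort (random host port) cannot conflict and is skipped.
    """
    tokens = shlex.split(docker_cmd)
    specs = []
    for i, tok in enumerate(tokens):
        if tok in ("-p", "--publish") and i + 1 < len(tokens):
            specs.append(tokens[i + 1])
        elif tok.startswith("--publish=") or tok.startswith("-p="):
            specs.append(tok.split("=", 1)[1])
    published = []
    for spec in specs:
        ports, _, proto = spec.partition("/")
        parts = ports.split(":")
        if len(parts) == 3:
            host_ip, host_port, container_port = parts
        elif len(parts) == 2:
            host_ip, (host_port, container_port) = "0.0.0.0", parts
        else:
            continue
        published.append((host_ip, int(host_port), int(container_port), proto or "tcp"))
    return published


def _collides(bind_ip, listen_addr):
    """A wildcard bind on either side collides with any address; otherwise addresses must match."""
    return bind_ip in WILDCARDS or listen_addr in WILDCARDS or bind_ip == listen_addr


def find_conflicts(docker_cmd, ss_output):
    """Return [(host_port, process)] for each published TCP host port something already owns."""
    listeners = parse_listeners(ss_output)
    conflicts = []
    for host_ip, host_port, _container_port, proto in parse_published_ports(docker_cmd):
        if proto != "tcp":
            continue            # `ss -ltnp` is TCP only; use `ss -lunp` for UDP publishes
        for (addr, port), proc in listeners.items():
            if port == host_port and _collides(host_ip, addr):
                conflicts.append((host_port, proc))
    return conflicts


def suggest_free_port(listeners, start):
    """First port >= start with no listener on any address (Docker binds 0.0.0.0 by default)."""
    port = start
    while any(p == port for (_addr, p) in listeners):
        port += 1
    return port


if __name__ == "__main__":
    for port, proc in find_conflicts(SAMPLE_DOCKER_CMD, SAMPLE_SS_OUTPUT):
        print(f"host port {port} is already held by {proc}")
    print("next free port from 4443:", suggest_free_port(parse_listeners(SAMPLE_SS_OUTPUT), 4443))
```

On the sample the only clash is 443 against the web GUI, which matches the error in the post; 445 shows up as taken by smbd, and 4443 is rejected as well because a listener on 127.0.0.1 still blocks Docker's 0.0.0.0 bind, so the next candidate is 4444. Whatever port is chosen must also be the one the router forwards 443 to.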

I'm really struggling with this as well guys.  Been doing all the required reading and browsing through everyone's comments without luck.  I've done the following:

 

  • Upgraded to 6.4.0 (was previously on 6.3.5 and it wasn't working then either)
  • Due to 6.4.0 upgrade, I changed the default SSL port for UNRAID to 444
  • Ensured HTTPVAL is set to true.
  • Removed and re-added http container port
  • Changed container http container port to 8083
  • Ensured port forwarding is working for port 8083 via telnet

 

What am I missing guys?  This shouldn't be this difficult...

[Screenshots: UNRAID - A.png, UNRAID - B.png, UNRAID - C.png, UNRAID - D.png, UNRAID - E.png]


@irandumi - it's hard to tell from your port-forward screen shot, but it looks like you're not forwarding 443 to your unRAID server, but you are forwarding 8083(?) to 80. Try adding the 443 forward to 192.168.0.122 (?).

 

(adjust the numbers as necessary - I'm squinting at a small, blurry screen shot and my eyes aren't quite as good as they used to be)

8 minutes ago, irandumi said:
  • Changed container http container port to 8083
  • Ensured port forwarding is working for port 8083 via telnet

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

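Both riffles21's working setup (router external 80 to internal 81, container `-p 81:80`) and jonathanm's diagnosis of irandumi's rules (external 8083 to internal 80, which is backwards) are instances of the same two-hop chain: WAN port, router rule, Docker publish, container port. The script below models that chain and reports where a Let's Encrypt http-01 connection to WAN:80 would end up. It is an added example for this thread, not Unraid or linuxserver.io code; 192.168.0.122 is the host address FreeMan read off the screenshot and the rule sets are reconstructed from the posts, not exported from a router.

```python
# Constructed from the posts above, not exported from any router.
HOST_IP = "192.168.0.122"

# (host_port, container_port) as published with `-p host:container`
DOCKER_PORTS_IRANDUMI = [(8083, 80), (443, 443)]
DOCKER_PORTS_RIFFLES = [(81, 80), (443, 443)]

# (external_port, internal_ip, internal_port) as entered on the router
RULES_AS_POSTED = [(8083, HOST_IP, 80), (443, HOST_IP, 443)]    # external/internal swapped
RULES_FIXED = [(80, HOST_IP, 8083), (443, HOST_IP, 443)]        # what jonathanm describes
RULES_RIFFLES = [(80, HOST_IP, 81), (443, HOST_IP, 443)]        # the setup that worked


def trace_path(wan_port, router_rules, docker_ports, host_ip):
    """Follow WAN:wan_port through the router rule and the Docker publish.

    Returns {"ok": True, "host_port": ..., "container_port": ...} when the packet
    reaches a container port, otherwise {"ok": False, "reason": ...}.
    """
    rule = next((r for r in router_rules if r[0] == wan_port), None)
    if rule is None:
        return {"ok": False, "reason": f"no router rule forwards external port {wan_port}"}
    _, internal_ip, internal_port = rule
    if internal_ip != host_ip:
        return {"ok": False, "reason": (f"external {wan_port} is forwarded to {internal_ip}, "
                                        f"not to the Docker host {host_ip}")}
    mapping = next((m for m in docker_ports if m[0] == internal_port), None)
    if mapping is None:
        return {"ok": False, "reason": (f"router sends external {wan_port} to host port "
                                        f"{internal_port}, but Docker publishes only "
                                        f"{sorted(m[0] for m in docker_ports)}")}
    return {"ok": True, "host_port": internal_port, "container_port": mapping[1]}


def swapped_rule(router_rules, docker_ports):
    """Find a rule whose external port is one of Docker's host ports and whose internal port is 80:
    the signature of external and internal having been entered backwards."""
    host_ports = {m[0] for m in docker_ports}
    return next((r for r in router_rules if r[0] in host_ports and r[2] == 80 and r[0] != 80), None)


def http01_ready(router_rules, docker_ports, host_ip):
    """The CA connects to WAN:80 and must reach nginx on container port 80. Returns (ok, message)."""
    path = trace_path(80, router_rules, docker_ports, host_ip)
    if not path["ok"]:
        hint = swapped_rule(router_rules, docker_ports)
        if hint:
            return False, (f"{path['reason']}; rule external {hint[0]} -> internal {hint[2]} looks "
                           f"swapped, it should be external 80 -> internal {hint[0]}")
        return False, path["reason"]
    if path["container_port"] != 80:
        return False, f"WAN:80 lands on container port {path['container_port']}, not 80"
    return True, f"WAN:80 -> {host_ip}:{path['host_port']} -> container:80"


if __name__ == "__main__":
    for label, rules, ports in [("as posted", RULES_AS_POSTED, DOCKER_PORTS_IRANDUMI),
                                ("fixed", RULES_FIXED, DOCKER_PORTS_IRANDUMI),
                                ("riffles21", RULES_RIFFLES, DOCKER_PORTS_RIFFLES)]:
        ok, why = http01_ready(rules, ports, HOST_IP)
        print(f"{label:10} {'OK ' if ok else 'BAD'} {why}")
```

The same trace with `wan_port=443` checks the HTTPS path for normal browsing; the http-01 check is the stricter one because the CA only ever connects to port 80 on the public address, so the container's port 80 has to be reachable through whatever host port was chosen to avoid the Unraid web GUI.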
42 minutes ago, IndianaJoe1216 said:

Most likely an issue with your router not accepting loopback connections.

 

I initially had this issue with my PFsense setup and had to enable 1:1 NAT Reflection to get this to work.

 

Might want to take a look here: https://help.ubnt.com/hc/en-us/articles/204952134-EdgeRouter-NAT-Hairpin-Nat-Inside-to-Inside-Loopback-Reflection-

This was it!  Thank you for the help.

3 minutes ago, CHBMB said:

@irandumi

 

You don't control duckdns.org, so try using subdomain.duckdns.org in DOMAIN NAME, remove SUBDOMAIN from SUBDOMAINS and set ONLY SUBDOMAINS to false if @FreeMan's suggestion doesn't work.

 

Dang! missed that one.

 

Just now, jonathanm said:

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

 

and that one....

 

maybe I should go back to sleep. Sorry @irandumi...

4 hours ago, upthetoon said:

Sorry to add to the list of people with probably obvious issues but I'm having trouble getting this working too.

 

I've been using it through the RC's and have unraid set to port 444 to avoid the clash.  It was working fine before the CA change.

 

I've followed the instructions above (thank you) and set the HTTPVAL flag to true.

 

I'm using port 81 for the docker and have port 80 fwd to 81 in my router.

 

I'm getting this error which I can't see is happening for anyone else...

 


Failed authorization procedure. <redacted>.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://<redacted>.unraid.net:444/.well-known/acme-challenge/QaX0x01RBkOvVSiPIP5VlKlhGyQDYNZXTuanOrzQ-n0: Invalid port in redirect target. Only ports 80 and 443 are supported, not 444

 


Startup command;

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/London" -e HOST_OS="unRAID" -e "EMAIL"="<redacted>" -e "URL"="duckdns.org" -e "SUBDOMAINS"="<redacted>" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

 

This got lost in all the replies I think.

Has anyone else had this error?

Invalid port in redirect target. Only ports 80 and 443 are supported, not 444

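The error upthetoon quotes is the CA applying a fixed rule while fetching the http-01 challenge: it will follow a redirect, but only to http or https on port 80 or 443, so a redirect to `https://...unraid.net:444/...` fails before the token is ever compared. What the message shows is that the request to port 80 on the public address was answered by something that redirects to port 444 rather than by the container. The script below is an added example for this thread, not Boulder, certbot or linuxserver.io code. It reproduces the port and scheme rules on a list of Location headers (the hostnames are constructed stand-ins for the redacted ones, and MAX_REDIRECTS is an assumed small cap), and includes a live helper that collects those headers from outside the LAN without following them.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = (80, 443)
MAX_REDIRECTS = 10   # assumption: a small cap; the CA's exact limit is not stated on the page

# Constructed stand-ins for the redacted names in the post above.
CHALLENGE_URL = "http://myserver.duckdns.org/.well-known/acme-challenge/TOKEN"
UNRAID_GUI_REDIRECT = "https://myserver.unraid.net:444/.well-known/acme-challenge/TOKEN"


def check_target(url):
    """Apply the port/scheme rules to one redirect target; return an error string or None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return (f"Invalid protocol scheme in redirect target. "
                f"Only http and https are supported, not {parts.scheme or 'none'}")
    port = parts.port if parts.port is not None else (80 if parts.scheme == "http" else 443)
    if port not in ALLOWED_PORTS:
        return f"Invalid port in redirect target. Only ports 80 and 443 are supported, not {port}"
    return None


def validate_redirect_chain(start_url, locations):
    """Walk the Location headers a challenge GET produced, in order, as the validator would.

    Returns (True, final_url) or (False, message). Location values may be relative;
    they are resolved against the URL that issued them.
    """
    current = start_url
    for hop, location in enumerate(locations, start=1):
        if hop > MAX_REDIRECTS:
            return False, f"Too many redirects (more than {MAX_REDIRECTS})"
        target = urljoin(current, location)
        error = check_target(target)
        if error:
            return False, f"Fetching {target}: {error}"
        current = target
    return True, current


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_redirect_chain(url, max_hops=MAX_REDIRECTS):
    """Live probe (needs network; run from OUTSIDE the LAN so hairpin NAT does not distort it).

    Issues a plain GET like the CA does and returns the Location headers in order.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    locations = []
    for _ in range(max_hops):
        try:
            opener.open(url, timeout=10)
            break                                   # 2xx: the chain ends here
        except urllib.error.HTTPError as err:
            if err.code not in (301, 302, 303, 307, 308) or "Location" not in err.headers:
                break                               # a real error page, not a redirect
            locations.append(err.headers["Location"])
            url = urljoin(url, err.headers["Location"])
        except urllib.error.URLError:
            break                                   # TLS or connection failure: the CA would fail here too
    return locations


if __name__ == "__main__":
    # Offline reproduction of the posted failure: port 80 answered with a redirect to :444.
    print(validate_redirect_chain(CHALLENGE_URL, [UNRAID_GUI_REDIRECT]))
    # Live use: python3 this.py against your own name, from a host outside the LAN
    # print(validate_redirect_chain(CHALLENGE_URL, fetch_redirect_chain(CHALLENGE_URL)))
```

If the live chain shows a redirect to the Unraid GUI's HTTPS port, the router's port 80 forward is reaching the host's own web server rather than the container's published port (81 in the posted command), so the fix is on the forward, not in the container.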
11 minutes ago, FreeMan said:

@irandumi - it's hard to tell from your port-forward screen shot, but it looks like you're not forwarding 443 to your unRAID server, but you are forwarding 8083(?) to 80. Try adding the 443 forward to 192.168.0.122 (?).

 

(adjust the numbers as necessary - I'm squinting at a small, blurry screen shot and my eyes aren't quite as good as they used to be)

 

443 is forwarded.  If there is no input for Int (Internal port), then it uses the same port (443).  Regardless, I added 443 just to be safe.  No luck.

 

10 minutes ago, CHBMB said:

@irandumi

 

You don't control duckdns.org, so try using subdomain.duckdns.org in DOMAIN NAME, remove SUBDOMAIN from SUBDOMAINS and set ONLY SUBDOMAINS to false if @FreeMan's suggestion doesn't work.

 

As you suggested, I modified the DOMAIN NAME to include my subdomain,  I removed the SUBDOMAIN(S) variable, changed 'ONLY SUBDOMAINS' to 'false' and restarted the docker.  Same results.

 

7 minutes ago, jonathanm said:

Your router is set to forward EXTERNAL 8083 to INTERNAL 80. Swap that, so when LE talks to port 80 on your WAN, your router sends it to 8083 on unraid, which sends it back to the LE docker on 80.

 

You've got internal and external switched in your router.

 

I just did what you suggested and still no luck...

